The public sector must focus not only on attacks, but on how it responds and recovers from them, Zerto and Cyber Security Scotland told attendees at the recent Local Government ICT Summit
Credit: QuoteInspector/CC BY-ND 4.0
Whether or not they are technologists by profession, most people in the public could offer a pretty accurate definition of ‘cybersecurity’.
It would, at least in essence, probably mimic that of the Oxford English Dictionary: “The state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this.”
In short: keeping the baddies out.
The idea of ‘cyber resilience’ would likely be less familiar.
But, as attendees of the PublicTechnology Local Government ICT Summit heard earlier this month, it is perhaps an even more important concept.
“Most organisations look at the security of their datacentre, and put in processes and controls and technology to prevent an attack. What is also important – and what we should be looking at more – is that you are safeguarding your data… and ensuring you can recover it, in the event of a cyberattack.”
Martin Humphrey, Zerto
During a panel discussion, Martin Humphrey, an enterprise systems engineer at disaster recovery and backup firm Zerto, said: “Cyber resilience is the ability to prepare for, respond to, and recover from a cyberattack.”
The latter two parts of this definition are the key; many organisations place great emphasis on protecting against attacks. But, given that almost all businesses and public sector bodies will be hit by a successful attack at some point, responding to and recovering from them is crucial.
“What is important is that, while an organisation is being attacked by ransomware or malware, it has the ability to [continue to] operate and to recover,” Humphrey said. “Businesses shouldn’t shut if they get infected by ransomware – they should be able to operate, and to recover quickly.”
He added: “Most organisations look at the security of their datacentre, and put in processes and controls and technology to prevent an attack. What is also important – and what we should be looking at more – is that you are safeguarding your data… and ensuring you can recover it, in the event of a cyberattack.”
Public sector entities in Scotland may be better versed in cyber resilience than their English counterparts.
The Scottish Government set out a national strategy in 2015, and this was followed by a public sector action plan and an initiative that aims to support all organisations in becoming cyber resilient.
The Cyber Resilience Framework offers, firstly, a self-assessment tool for public bodies to understand their current state of resilience, and then gathers in one place a range of tools and materials to help achieve compliance with a wide range of differing regulations, guidance, and certifications. This includes the likes of GDPR and the UK Data Protection Act, the requirements of the Public Services Network, PCI DSS payment standards, the Cyber Essentials programme run by the National Cyber Security Centre, the Network and Information Systems regulation, and ISO certifications.
Keith Nicholson of industry network Cyber Security Scotland, who has advised the Scottish Government on cyber resilience since 2013, helped create the framework.
“This was becoming quite a burden on many organisations, who simply lacked the expertise in house, and really didn’t know where to start with what, in some cases, was half a dozen different sets of frameworks, requirements, and guidance,” he said.
The framework is divided into three tiers, the first of which is a ‘baseline’ level that covers Cyber Essentials and other basics. The ‘target’ tier includes the likes of PCI DSS and GDPR, while the top-level ‘advanced’ bracket addresses the requirements of NIS and the ISO27001 information security standard.
“The ambition is that every public sector body in Scotland will achieve the ‘target’ level,” Nicholson said. “This is quite a significant transition for many organisations; but the intention is that organisations be able to track their progress through to their desired tier that they are aiming towards.”
Recovery disasters?
Audits conducted via the framework have shown that, in the business continuity realm, there are many common weaknesses to address.
Collating the results of 21 such exercises, Nicholson told attendees of the summit that a third of them had found the organisation in question had ‘weak’ or ‘unacceptable’ data-recovery policies and procedures.
For back-up and disaster recovery, the figure was 38%. Some 62%, meanwhile, failed to meet acceptable levels of testing for business continuity and disaster recovery.
“While many organisations believe that they are resilient… and back up to a secondary site and to a disaster recovery site, very often that was done in near real-time and so, that means the organisation has no resilience – because, if the primary database is compromised, then that malware will spread to the secondary site and DR site in near-real time,” Nicholson said. “Now, there is no silver bullet to this as to the timing differential between back-ups to the primary site and DR site, but it needs to be examined.”
“[Compliance] was becoming quite a burden on many organisations, who simply lacked the expertise in house, and really didn’t know where to start with what, in some cases, was half a dozen different sets of frameworks, requirements, and guidance”
Keith Nicholson, Cyber Security Scotland
Technology can play a role in this, according to Humphrey from Zerto, who said that organisations can implement tools and services such as continuous data replication.
If doing so, he had this advice: “You should make sure it is non-performance impacting, it shouldn’t be snapshot-based, it should always mean that you’re protected, no matter what, it should be technology-agnostic, it should enable fast recovery, and it should be automated to reduce the amount of effort required.”
But, just as important as the tech is the people and processes.
To be truly resilient, according to Humphrey, everyone has a role to play.
“Everybody in an organisation should have a shared responsibility for securing the IT – whether it is securing the data, or the datacentre,” he said. “Everybody has an obligation to ensure that they are not going to cause a cyberattack or a loss of data. You need to build a strong process and culture.”
Click here to register to watch the whole panel discussion with Zerto and Cyber Security Scotland, and all the other content from the PublicTechnology Local Government ICT Summit – registration is free for representatives of the public sector.
